
Copyright © 2005, ContentGuard, Inc. Use of REL Tokens for Higher-order Operations DIMACS Workshop on Security of Web Services and E-Commerce 2005-May-05.




1 Use of REL Tokens for Higher-order Operations
DIMACS Workshop on Security of Web Services and E-Commerce, 2005-May-05
Thomas DeMartini

2 Outline
Background
–REL
–Web Services
WS-Security REL Token Profile
–Authentication/Integrity
–Confidentiality
Higher-order Operations
–Authorization
–Trust-managed Authorization
–Delegated Authorization
–Federated Authorization

3 REL
ISO/IEC 21000-5 specifies a Rights Expression Language (REL) for coding Rights Expressions (Licenses).
At the high level, a License consists of 5 main building blocks:
–Principal
–Right
–Resource
–Condition
–Issuer
Makes the high-level statement: Issuer says Principal can do Right to Resource under Condition

4 REL
Issuer says Principal can do Right to Resource under Condition
Bob says Alice can play tree.jpg in the month of April

5 REL
[License XML not preserved in the transcript; recoverable fields: validity interval 2004-04-01T00:00:00Z to 2004-05-01T00:00:00Z, timestamp 2004-04-09T21:59:55Z, key material omitted]
Bob says Alice can play tree.jpg in the month of April

6 REL
[License XML not preserved in the transcript; same validity interval 2004-04-01T00:00:00Z to 2004-05-01T00:00:00Z and timestamp 2004-04-09T21:59:55Z, with the right possessProperty and the property Student]
Bob says Alice is a student in the month of April

7 Web Services
[Diagram] Thirsty Programmer Alice sends a SOAP Message (SOAP Envelope: SOAP Headers, SOAP Body) to the Soda++ Service. SOAP Body: "Please send one case of Soda++". Reply: "On its way!"

8 WS-Security REL Token Profile
WS-Security: SOAP Message Security
–Defines Security header for SOAP Messages: Security Tokens, Signatures, Encryption Information
WS-Security: REL Token Profile
–Defines how to use a Rights Expression (License) as a Security Token.
–License Security Tokens are called REL Tokens for short.

9 Authentication/Integrity
[Diagram] Thirsty Programmer Alice sends a SOAP Message (SOAP Envelope: SOAP Headers with a Security Header, SOAP Body "Please send one case of Soda++") to the Soda++ Service. Reply: "On its way!"
Security Header contents:
–REL Token: root says key123 is Alice
–Signature: Reference, SigValue=ABC, SigKey

10 Confidentiality
[Diagram] Same exchange; the SOAP Body "Please send one case of Soda++" is carried as EncryptedData (CipherValue=DEF).
Security Header contents:
–REL Token: root says key456 is Soda++ Service
–EncryptedKey: Reference, CipherValue=HIJ, KEK

11 Building Higher-order Operations
Got baseline WS-Security Features:
–Authentication
–Integrity
–Confidentiality
Higher-order Operations:
–Authorization
–Trust-managed Authorization
–Delegated Authorization
–Federated Authorization

12 Authentication/Integrity + Authorization
[Diagram as on slide 9, with a second REL Token added to the Security Header]
Security Header contents:
–REL Token: root says key123 is Alice
–Signature: Reference, SigValue=ABC, SigKey
–REL Token: root says Alice can order Soda++

13 Authorization
[Diagram as on slide 12]
Security Header contents:
–REL Token: root says key123 is Alice
–Signature: Reference, SigValue=ABC, SigKey
–REL Token: root says Alice can order Soda++
Resulting statement: root says key123 can order Soda++

14 Trust-managed Authorization
Consider the following use case:
–Student Alice takes an online class. As part of the class she gets a license authorizing her to view the online lecture videos until the end of the semester. She does not get to keep watching the lecture videos after the end of the semester or share them with friends. To ensure that she follows these rules, she is only permitted to watch the lecture videos on a secure box certified by her university.
–Alice arrives at a remote viewing terminal (secure box) and inserts her USB keychain containing her licenses. She watches the lecture video.

15 Trust-managed Authorization
[Diagram] Student Alice (with her Licenses) at the Remote Viewing Terminal (key 123). The terminal asks the Lecture Video Cache "Please send Lecture Video" and receives the Lecture Video.

16 Trust-managed Authorization
[Diagram as on slide 15; Alice's Licenses shown]
–REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video
–REL Token: onlineProf says Alice can play Lecture Video until end of semester

17 Trust-managed Authorization
[Diagram as on slide 15; the terminal's request to the cache is a SOAP Message (SOAP Envelope: SOAP Headers with a Security Header, SOAP Body "Please send Lecture Video")]
Security Header contents:
–REL Token: onlineUni says key123 is secureBox
–Signature: Reference, SigValue=ABC, SigKey
–REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video

18 Trust-managed Authorization
[Diagram as on slide 17]
Security Header contents:
–REL Token: onlineUni says key123 is secureBox
–Signature: Reference, SigValue=ABC, SigKey
–REL Token: onlineProf says onlineUni secureBoxes can retrieve Lecture Video

19 Trust-managed Authorization
[Diagram as on slide 15; the cache's response is a SOAP Message (SOAP Envelope: SOAP Headers with a Security Header, SOAP Body EncryptedData (Lecture Video))]
Security Header contents:
–REL Token: onlineUni says key123 is secureBox
–EncryptedKey: Reference, CipherValue=HIJ, KEK

20 Trust-managed Authorization
[Diagram as on slide 15; the terminal plays the Lecture Video for Alice]
–REL Token: onlineProf says Alice can play Lecture Video until end of semester

21 Delegated Authorization
Consider the following use case:
–Alice signs up for MyQuotes and obtains a license authorizing her to get real time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
–Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So she can get real-time graphs, she delegates to the summarizer service the right to get real time NYSE stock quotes.
–The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.

22 Delegated Authorization
[Diagram] Investor Alice (with her Licenses) uses the Summarizer Service (key 123), which sends GetQuote to the Quote Service and receives the Quote.

23 Delegated Authorization
[Diagram as on slide 22; Alice's Licenses shown]
–REL Token: Alice says key123 can get quotes
–REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
The summarizer's request is a SOAP Message (SOAP Envelope: SOAP Headers with a Security Header, SOAP Body GetQuote).
Security Header contents:
–Signature: Reference, SigValue=ABC, SigKey
–REL Token: Notary1 says key123 exec exch agr
–REL Token: Alice says key123 can get quotes
–REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1

24 Federated Authorization
Consider the following use case:
–Alice signs up for MyQuotes and obtains a license authorizing her to get real time NYSE stock quotes. She can also delegate this right to others that have executed the NYSE exchange agreement as certified by Notary1.
–Alice likes to see graphs rather than numbers. She has a summarizer service which provides her such graphs. So she can get real-time graphs, she delegates to the summarizer service the right to get real time NYSE stock quotes.
–The summarizer service has executed the NYSE exchange agreement but was certified by Notary2.
–Notary1 recognizes the certifications of Notary2.
–The summarizer service then retrieves the stock quotes, creates the summary, and sends it to Alice.

25 Federated Authorization
[Diagram] Investor Alice (with her Licenses) uses the Summarizer Service (key 123), which sends GetQuote to the Quote Service and receives the Quote.

26 Federated Authorization
[Diagram as on slide 25; Alice's Licenses shown]
–REL Token: Alice says key123 can get quotes
–REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
The summarizer's request is a SOAP Message (SOAP Envelope: SOAP Headers with a Security Header, SOAP Body GetQuote).
Security Header contents:
–Signature: Reference, SigValue=ABC, SigKey
–REL Token: Notary2 says key123 exec exch agr
–REL Token: Notary1 says Notary2 certs recognized
–REL Token: Alice says key123 can get quotes
–REL Token: MyQuotes says Alice can get quotes and delegate to those that exec exch agr per Notary1
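The token reasoning the Authorization (slides 12-13), Trust-managed (slides 17-20), Delegated (slide 23) and Federated (slide 26) diagrams depict, worked through as an added Python example; this is not ContentGuard's code and not an ISO/IEC 21000-5 or WS-Security implementation. It assumes a reduced token shape (the five REL building blocks plus two conditions), stands in HMAC-SHA256 keyed by a per-key-id secret for the XML Signature over the SOAP body, and constructs the right names, property names, semester end date and secrets itself.

```python
"""Added example (not ContentGuard's code or the ISO/IEC 21000-5 reference code): a toy
evaluator for the Authorization, Trust-managed, Delegated and Federated slides. Tokens
carry the five REL building blocks. Assumptions: XML Signature is stood in for by
HMAC-SHA256 keyed per key id; right/property names, dates and secrets are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Token:
    issuer: str
    principal: str                        # key id, name, or group "property@certifier"
    right: str                            # "is", "possessProperty", "delegate", "order", ...
    resource: str
    not_after: Optional[str] = None       # condition: ISO-8601 UTC timestamp
    delegate_to: Optional[tuple] = None   # condition on a "delegate" right: (property, certifier)

class Evaluator:
    def __init__(self, tokens: list, trusted: set, now: str):
        self.tokens, self.trusted, self.now = tokens, trusted, now

    def live(self, t: Token) -> bool:     # ISO-8601 UTC strings order correctly as text
        return t.not_after is None or self.now <= t.not_after

    def certified(self, subject, prop, certifier, seen=frozenset()) -> bool:
        """Federation: certifier asserts the property, or recognizes a notary that does."""
        if certifier in seen:
            return False
        if any(t.issuer == certifier and t.principal == subject and t.right == "possessProperty"
               and t.resource == prop and self.live(t) for t in self.tokens):
            return True
        return any(self.certified(subject, prop, t.principal, seen | {certifier})
                   for t in self.tokens if t.issuer == certifier
                   and t.right == "recognizeCerts" and t.resource in (prop, "*"))

    def matches(self, subject, principal, seen=frozenset()) -> bool:
        """Subject is the principal, is certified into a group principal, or is bound by 'is'."""
        if subject == principal:
            return True
        if "@" in principal:              # trust-managed: "secureBox@onlineUni"
            prop, certifier = principal.split("@", 1)
            return self.certified(subject, prop, certifier)
        return any(self.matches(t.resource, principal, seen | {subject})
                   for t in self.tokens if t.right == "is" and t.principal == subject
                   and t.issuer in self.trusted and t.resource not in seen and self.live(t))

    def can(self, subject, right, resource, depth=0) -> bool:
        if depth > 8:                     # bound delegation chains
            return False
        for t in self.tokens:
            if (t.right != right or t.resource != resource or not self.live(t)
                    or not self.matches(subject, t.principal)):
                continue
            if t.issuer in self.trusted:  # plain authorization from a trusted root
                return True
            # delegated: the grant's issuer must hold the right and a trusted delegate
            # grant whose certification condition the subject meets
            for d in self.tokens:
                if (d.right == "delegate" and d.resource == resource and d.delegate_to
                        and d.issuer in self.trusted and self.live(d)
                        and self.matches(t.issuer, d.principal)
                        and self.can(t.issuer, right, resource, depth + 1)
                        and self.certified(subject, *d.delegate_to)):
                    return True
        return False

KEY_SECRETS = {"key123": b"constructed-secret-key123", "key456": b"constructed-secret-key456"}

def sign(body: bytes, key_id: str) -> str:
    return hmac.new(KEY_SECRETS[key_id], body, hashlib.sha256).hexdigest()

def soda_demo(key_id="key123", sig=None) -> str:
    """Slides 12-13: verify the signature, then authorize the signing key, not a name in the body."""
    body = b"Please send one case of Soda++"
    sig = sign(body, "key123") if sig is None else sig
    if key_id not in KEY_SECRETS or not hmac.compare_digest(sign(body, key_id), sig):
        return "rejected: bad signature"
    ev = Evaluator([Token("root", "key123", "is", "Alice"), Token("root", "Alice", "order", "Soda++")],
                   trusted={"root"}, now="2005-05-05T00:00:00Z")
    return "On its way!" if ev.can(key_id, "order", "Soda++") else "rejected: not authorized"

def lecture_demo(now: str) -> dict:
    """Slides 17-20: the cache trusts onlineProf; onlineUni counts only as secureBox certifier."""
    ev = Evaluator([Token("onlineUni", "key123", "possessProperty", "secureBox"),
                    Token("onlineProf", "secureBox@onlineUni", "retrieve", "LectureVideo"),
                    Token("onlineProf", "Alice", "play", "LectureVideo",
                          not_after="2004-05-01T00:00:00Z")],   # constructed semester end
                   trusted={"onlineProf"}, now=now)
    return {"terminal_retrieve": ev.can("key123", "retrieve", "LectureVideo"),
            "alice_play": ev.can("Alice", "play", "LectureVideo")}

def quotes_demo(certifier: str, notary1_recognizes_notary2: bool) -> bool:
    """Slides 23 and 26: only MyQuotes is trusted; key123 must chain through Alice's delegation."""
    toks = [Token("MyQuotes", "Alice", "getQuotes", "NYSE"),
            Token("MyQuotes", "Alice", "delegate", "NYSE", delegate_to=("exchAgreement", "Notary1")),
            Token("Alice", "key123", "getQuotes", "NYSE"),
            Token(certifier, "key123", "possessProperty", "exchAgreement")]
    if notary1_recognizes_notary2:
        toks.append(Token("Notary1", "Notary2", "recognizeCerts", "exchAgreement"))
    return Evaluator(toks, trusted={"MyQuotes"}, now="2005-05-05T00:00:00Z").can("key123", "getQuotes", "NYSE")
```

Two design points carry over from the slides. The relying party never trusts a name it reads in the body: the Soda++ service authorizes the key that produced the signature and reaches "Alice" only through a token from its own root, so a valid signature by key456 is refused as unauthorized. The trust roots stay small: the lecture cache trusts onlineProf alone and accepts onlineUni's secureBox certification only because onlineProf's grant names that certifier; likewise the quote service trusts MyQuotes alone, so with only Notary2's certification the delegation is refused until Notary1's recognition token for Notary2 is presented, which is exactly what the federated slide adds.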

27 Discussion
Background
–REL
–Web Services
WS-Security REL Token Profile
–Authentication/Integrity
–Confidentiality
Higher-order Operations
–Authorization
–Trust-managed Authorization
–Delegated Authorization
–Federated Authorization

